RESTful API for managing a university's timetable system Backend
To run this project locally, follow these steps:
- Create a new folder and open it.
- Press Alt + D to select the address bar, type `cmd` and press Enter. This opens a command prompt window whose working directory is the current folder, so the commands below can be run directly in it.
- Clone the repository to your local machine using Git:
  ```
  git clone github_repo_link
  ```
- Navigate to the project directory:
  ```
  cd backend
  ```
- Install the project dependencies using npm:
  ```
  npm i
  ```
- Run the server:
  ```
  npm start
  ```
- Node.js
- Express.js
- MongoDB
- JavaScript
- jsonwebtoken for session management (issuing and verifying JWTs).
- bcrypt for hashing passwords.
- Winston logger to log critical information for audit and diagnostic purposes.
- Jest for unit testing.
- Helmet.js, which helps secure Express apps by setting HTTP response headers.
- OWASP ZAP as an intercepting proxy for security testing.
- Postman for API endpoint checks and integration testing.
- artillery.io for performance testing.
- User Roles and Authentication:
- Define multiple user roles (e.g., Admin, Faculty, Student) with different access levels.
- Implement secure login functionality and session management using JWT.
- Course Management:
- Allow CRUD operations on courses, including course name, code, description, and credits.
- Enable Admins to assign Faculty to courses.
- Timetable Management:
- Facilitate the creation and modification of weekly timetables for different courses.
- Include functionality to add, update, and delete class sessions, specifying the course, time, faculty, and location.
- Room and Resource Booking:
- Manage classrooms and resources (e.g., projectors, labs) availability.
- Allow booking of rooms and resources for classes or events, ensuring no overlaps.
- Student Enrollment:
- Enable students to enroll in courses and view their timetables.
- Allow Faculty and Admins to view and manage student enrollments in courses.
- Notifications and Alerts:
- Implement a system to notify users of timetable changes, room changes, or important announcements.
The request method is how we distinguish what kind of action an endpoint is being asked to perform. GET is self-explanatory, but a few other methods are used often as well.

Method | Description
---|---
GET | Used to retrieve a single item or a collection of items.
POST | Used when creating new items, e.g. a new user, post, comment etc.
PATCH | Used to update one or more fields on an item, e.g. updating the e-mail of a user.
PUT | Used to replace a whole item (all fields) with new data.
DELETE | Used to delete an item.
Method | URL | Description
---|---|---
POST | http://localhost:8080/api/v1/users/ | Create a new user registration.

- Validate fields to ensure data integrity.
- Password validation rules enforce requirements such as at least one uppercase letter, one special character and one number. Password complexity validation is implemented with Joi.
- Alert when a user with the given email already exists.
- Hash passwords before storing them (see Security below); the plaintext password is never persisted.
Method | URL | Description
---|---|---
POST | http://localhost:8080/api/v1/auth/ | User login.

- Inform users of an invalid email or password during login attempts. Use one generic message for both cases so the response does not reveal which email addresses are registered.
- After a successful login, a token is generated with an expiration time.
Method | URL | Description
---|---|---
GET | http://localhost:8080/api/v1/users/admin/dashboard | Access granted: Admin dashboard.
GET | http://localhost:8080/api/v1/users/faculty/dashboard | Access granted: Faculty dashboard.
GET | http://localhost:8080/api/v1/users/student/dashboard | Access granted: Student dashboard.

- The authorized user's token is used to gain access to protected endpoints.

Header key | Value | Description
---|---|---
Authorization | Bearer GeneratedToken | After a successful login a token with a limited expiry time is generated; send it as the bearer token. A missing, invalid or expired token yields 401; a valid token whose role may not access the route yields 403.
Method | URL | Description
---|---|---
GET | http://localhost:8080/api/v1/courses/ | Retrieve all courses.
POST | http://localhost:8080/api/v1/courses/ | Create a new course.
POST | http://localhost:8080/api/v1/courses/:id/assign-faculty | Assign Faculty to a course.
GET | http://localhost:8080/api/v1/courses/:id | Retrieve a course by ID.
PATCH | http://localhost:8080/api/v1/courses/:id | Update a course by ID.
DELETE | http://localhost:8080/api/v1/courses/:id | Delete a course by ID.

- To assign faculty to a course, log in as Admin and use the generated token.
Method | URL | Description
---|---|---
GET | http://localhost:8080/api/v1/timetables/ | Retrieve all timetables.
POST | http://localhost:8080/api/v1/timetables/ | Create a new timetable.
GET | http://localhost:8080/api/v1/timetables/:id | Retrieve a timetable by ID.
PATCH | http://localhost:8080/api/v1/timetables/:id | Update a timetable by ID.
DELETE | http://localhost:8080/api/v1/timetables/:id | Delete a timetable by ID.

- When a timetable is updated, locate the students enrolled in the affected courses on a daily basis and send out notifications.
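An added example, not the project's code, of the daily fan-out described above: take the timetable changes recorded for one day and the enrollment list, and build one digest per enrolled student, so a student enrolled in two changed courses receives a single notification rather than one per change. All records are constructed in memory and the field names (courseId, studentId, changedAt, summary) are assumptions.

```javascript
// Added example (not the project's code): one timetable-change digest per
// enrolled student for a given day.
const dayOf = (date) => date.toISOString().slice(0, 10); // 'YYYY-MM-DD' (UTC)

function buildTimetableDigests(changes, enrollments, day) {
  const key = dayOf(day);

  // Group the changes made on `day` by course.
  const byCourse = new Map();
  for (const change of changes) {
    if (dayOf(change.changedAt) !== key) continue;
    if (!byCourse.has(change.courseId)) byCourse.set(change.courseId, []);
    byCourse.get(change.courseId).push(change);
  }

  // One digest per student; duplicate enrollment rows do not duplicate items.
  const digests = new Map();
  const seen = new Set();
  for (const { studentId, courseId } of enrollments) {
    const courseChanges = byCourse.get(courseId);
    if (!courseChanges || seen.has(`${studentId}:${courseId}`)) continue;
    seen.add(`${studentId}:${courseId}`);
    if (!digests.has(studentId)) {
      digests.set(studentId, { userId: studentId, date: key, type: 'timetable-change', items: [] });
    }
    for (const c of courseChanges) digests.get(studentId).items.push(`${courseId}: ${c.summary}`);
  }
  return [...digests.values()];
}

// Constructed sample data: two changes today, one yesterday, three students.
function sampleData() {
  return {
    today: new Date('2024-03-04T18:00:00Z'),
    changes: [
      { courseId: 'CS101', changedAt: new Date('2024-03-04T09:15:00Z'), summary: 'Monday lecture moved to R202' },
      { courseId: 'CS101', changedAt: new Date('2024-03-03T09:15:00Z'), summary: 'Friday lab cancelled' }, // yesterday
      { courseId: 'CS202', changedAt: new Date('2024-03-04T14:00:00Z'), summary: 'Tuesday lecture now 10:00' },
    ],
    enrollments: [
      { studentId: 's1', courseId: 'CS101' },
      { studentId: 's1', courseId: 'CS202' },
      { studentId: 's2', courseId: 'CS101' },
      { studentId: 's2', courseId: 'CS101' }, // duplicate row
      { studentId: 's3', courseId: 'MATH110' },
    ],
  };
}
```

Each returned digest maps directly onto a POST to the notifications collection for that userId; the daily job runs the function once per day and sends whatever it returns.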
Method | URL | Description
---|---|---
GET | http://localhost:8080/api/v1/classrooms/ | Retrieve all classrooms.
POST | http://localhost:8080/api/v1/classrooms/ | Create a new classroom.
GET | http://localhost:8080/api/v1/classrooms/:id | Retrieve a classroom by ID.
PATCH | http://localhost:8080/api/v1/classrooms/:id | Update a classroom by ID.
DELETE | http://localhost:8080/api/v1/classrooms/:id | Delete a classroom by ID.
Method | URL | Description
---|---|---
GET | http://localhost:8080/api/v1/resources | Retrieve all resources.
POST | http://localhost:8080/api/v1/resources | Create a new resource.
GET | http://localhost:8080/api/v1/resources/:id | Retrieve a resource by ID.
PATCH | http://localhost:8080/api/v1/resources/:id | Update a resource by ID.
DELETE | http://localhost:8080/api/v1/resources/:id | Delete a resource by ID.
Method | URL | Description
---|---|---
GET | http://localhost:8080/api/v1/bookings | Retrieve all bookings.
POST | http://localhost:8080/api/v1/bookings/ | Create a new booking.
GET | http://localhost:8080/api/v1/bookings/:id | Retrieve a booking by ID.
PATCH | http://localhost:8080/api/v1/bookings/:id | Update a booking by ID.
DELETE | http://localhost:8080/api/v1/bookings/:id | Delete a booking by ID.

- A classroom has a specific capacity. When assigning resources, ensure the total does not exceed it, and check that neither the classroom nor any of the resources is already booked for the requested date and time:
  - Check if the total resource capacity exceeds the classroom capacity.
  - Check if the classroom is already booked for the specified date and time.
  - Check if any of the resources are already booked for the specified date and time.
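The three booking checks above as one pure function over constructed in-memory records, an added example rather than the project's own code, so the rules can be unit-tested without the Mongo models. Intervals are treated as half-open, so a booking that ends at 11:00 does not clash with one starting at 11:00, and a PATCH can exclude the booking being edited so it does not clash with itself. Field names (classroomId, resourceIds, start, end, capacity, excludeBookingId) and the sample rooms, resources and existing booking are assumptions.

```javascript
// Added example (not the project's code): booking validation rules from the
// README as a pure function, plus constructed sample data.

// Half-open intervals [start, end): back-to-back bookings do not overlap.
function overlaps(a, b) {
  return a.start < b.end && b.start < a.end;
}

// Returns { ok, status, errors }. Status codes follow the README's table:
// 404 for an unknown classroom/resource, 422 when the booking rules fail.
function validateBooking(request, { classrooms, resources, bookings }) {
  if (!(request.start instanceof Date) || !(request.end instanceof Date) || !(request.start < request.end)) {
    return { ok: false, status: 422, errors: ['start must be before end'] };
  }
  const room = classrooms.find((c) => c.id === request.classroomId);
  if (!room) return { ok: false, status: 404, errors: ['classroom not found'] };
  const requestedIds = request.resourceIds || [];
  const wanted = requestedIds.map((id) => resources.find((r) => r.id === id));
  if (wanted.some((r) => r === undefined)) return { ok: false, status: 404, errors: ['resource not found'] };

  const errors = [];

  // 1. Total resource capacity must not exceed the classroom capacity.
  const totalCapacity = wanted.reduce((sum, r) => sum + r.capacity, 0);
  if (totalCapacity > room.capacity) {
    errors.push(`resources total ${totalCapacity} exceeds classroom capacity ${room.capacity}`);
  }

  // Existing bookings overlapping the requested slot. On a PATCH the booking
  // being edited is excluded so it does not clash with itself.
  const clashing = bookings.filter((b) => b.id !== request.excludeBookingId && overlaps(b, request));

  // 2. Classroom already booked for that date and time.
  if (clashing.some((b) => b.classroomId === request.classroomId)) {
    errors.push('classroom already booked for the specified date and time');
  }

  // 3. Any requested resource already booked for that date and time.
  const busy = new Set(clashing.flatMap((b) => b.resourceIds));
  for (const id of requestedIds) {
    if (busy.has(id)) errors.push(`resource ${id} already booked for the specified date and time`);
  }

  return errors.length ? { ok: false, status: 422, errors } : { ok: true, status: 201, errors: [] };
}

// Constructed sample data: two rooms, three resources, and one existing
// booking of R101 with the projector from 09:00 to 11:00 UTC.
const at = (hhmm) => new Date(`2024-03-04T${hhmm}:00Z`);
function sampleStore() {
  return {
    classrooms: [{ id: 'R101', capacity: 40 }, { id: 'R102', capacity: 60 }],
    resources: [{ id: 'PROJ-1', capacity: 0 }, { id: 'LAB-A', capacity: 30 }, { id: 'LAB-B', capacity: 20 }],
    bookings: [{ id: 'b1', classroomId: 'R101', resourceIds: ['PROJ-1'], start: at('09:00'), end: at('11:00') }],
  };
}
```

The overlap filter is the part that must run against the database in the real handler (a query for bookings with `start < requested.end` and `end > requested.start`), and it should run inside the same transaction as the insert, otherwise two concurrent POSTs can both pass the check and double-book the room.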
Method | URL | Description
---|---|---
GET | http://localhost:8080/api/v1/enrollments/ | Retrieve all enrollments. Only Admin and Faculty have access.
POST | http://localhost:8080/api/v1/enrollments/ | Create a new enrollment.
GET | http://localhost:8080/api/v1/enrollments/timetable | Retrieve the timetable of the courses the requesting student is enrolled in.
PATCH | http://localhost:8080/api/v1/enrollments/:id | Update an enrollment by ID. Permitted only for Admin and Faculty.
DELETE | http://localhost:8080/api/v1/enrollments/:id | Delete an enrollment by ID. Permitted only for Admin and Faculty.

- Only enrolled students have access to the timetable; the student is identified from the bearer token, not from a client-supplied ID.
- Faculty and Admins are granted permission to view and manage student enrollments in courses.
Method | URL | Description
---|---|---
GET | http://localhost:8080/api/v1/notifications/ | Retrieve all notifications. Accessible only by Admin and Faculty.
POST | http://localhost:8080/api/v1/notifications/ | Create a new notification. Accessible only by Admin and Faculty.
GET | http://localhost:8080/api/v1/notifications/:Userid | Retrieve notifications by user ID.
PATCH | http://localhost:8080/api/v1/notifications/:id | Update a notification. Accessible only by Admin and Faculty.
DELETE | http://localhost:8080/api/v1/notifications/:id | Delete a notification. Accessible only by Admin and Faculty.

- Notify users about timetable changes, room changes, or important announcements.
- Admins and faculty members can update and delete notifications by ID.
- The handler for GET /notifications/:Userid must compare :Userid with the subject of the bearer token (or require the Admin or Faculty role); otherwise any authenticated student could read another user's notifications by changing the ID in the URL.
One of the most important things in an API is how it returns response codes. Each code means a different thing, and consumers of your API rely heavily on them.

Code | Title | Description
---|---|---
200 | OK | The request was successfully processed (e.g. when using GET, PATCH, PUT or DELETE).
201 | Created | A record has been added to the database (e.g. when creating a new user or post).
304 | Not Modified | A cached response is being returned.
400 | Bad Request | The request could not be understood (e.g. invalid syntax).
401 | Unauthorized | Authentication failed (missing, invalid or expired token).
403 | Forbidden | An authenticated user is trying to perform an action they do not have permission for.
404 | Not Found | The URL or entity was not found.
422 | Unprocessable Entity | Something is wrong with the request (e.g. missing parameters, validation errors) even though the syntax is correct, i.e. 400 is not warranted.
440 | No Accept header | The required "Accept" header is missing from the request. Note that 440 is not an IANA-registered HTTP status code; it is specific to this API. The standard code for a content-negotiation failure is 406 Not Acceptable.
500 | Internal Server Error | An internal error occurred (e.g. adding/updating records in the database failed). Return a generic message to the client and log the details with Winston; never return stack traces or database errors in the response body.
502 | Bad Gateway | A necessary third-party service is down.
Security
- Hashing passwords using bcrypt
  - When storing passwords in a database, store them securely to prevent unauthorized access. Storing passwords in plain text is a significant security risk: if the database is compromised, every password is exposed.
  - bcrypt hashes each password together with a random salt, and the resulting salted hash is what gets stored. At login the submitted password is compared against the stored hash with bcrypt's compare function, so the plaintext is never persisted. Keep the cost factor high enough that brute-forcing a leaked hash is slow.
- Helmet.js
  - Helmet.js helps secure Express apps by setting HTTP response headers.
  - Adding app.use(helmet()) applies Helmet.js as middleware to the Express application. This sets a number of HTTP headers that mitigate common browser-side attacks such as Cross-Site Scripting (XSS), clickjacking and MIME sniffing.
  - Content Security Policy (CSP): declares trusted content sources, so the browser refuses to execute injected scripts from anywhere else.
  - Clickjacking protection (X-Frame-Options, CSP frame-ancestors): stops other sites from framing the application.
  - MIME sniffing prevention (X-Content-Type-Options: nosniff): stops browsers from reinterpreting a response as a different content type.
  - Referrer Policy control: limits the referrer information sent to other sites to prevent data leakage.
  - NoCache middleware: ensures sensitive API responses are not cached. In current Helmet versions this is the separate nocache package rather than part of helmet().
  - Easy integration: quick setup with Express.js.
  - Ongoing updates: actively maintained.
  - Caveat: Helmet only sets response headers. It does not provide CSRF protection; that needs anti-CSRF tokens or SameSite cookies when sessions are cookie-based. For this API the JWT travels in the Authorization header, which browsers do not attach automatically, so those requests are not CSRF-exposed. Nor does Helmet replace server-side input validation (Joi) or output encoding.
- Before adding Helmet.js
- After adding Helmet.js
- Database design.
- Code quality and documentation.
- Error handling and logging: the Winston logger is used to log critical information for audit and diagnostic purposes.
Implement unit tests for individual components and functions to validate their behavior in isolation.
- Point the .env at a separate database for testing purposes. The connection string contains credentials, so keep .env out of version control (add it to .gitignore) and never paste a real one into documentation; the values in angle brackets below are placeholders:
  ```
  DB=mongodb+srv://<user>:<password>@<cluster-host>/unittest?retryWrites=true&w=majority&appName=ClusterX
  ```
- Setting up Jest for unit testing
- Install the dependencies:
  ```
  npm install --save-dev jest supertest cross-env
  ```
- Update package.json:
  ```json
  "scripts": {
    "test": "cross-env NODE_ENV=test jest --testTimeout=5000",
    "start": "nodemon server.js"
  }
  ```
- Create a folder named test, then create a file in it called example.test.js.
- Write the unit test cases there.
- Run the test cases:
  ```
  npm test filename.test.js
  ```
Comprehensive unit tests cover all components:
- Register user
- Login user
- Course
- Timetable
- Classroom
- Resource
- Bookings
- Enrollments
- Notifications
Integration testing with Postman involves sending HTTP requests to the API endpoints and verifying that the responses match the expected behavior.
- Install Postman.
- Create a new collection.
- Add requests to the collection, choosing the HTTP method (GET, POST, PATCH, DELETE, etc.) that corresponds to the endpoint you want to test.
- Define tests in the request's Tests tab by writing a test script (e.g. asserting the status code and the shape of the JSON body; include the negative cases, such as a request without a bearer token returning 401 and a Student token on an Admin route returning 403).
- Go to the collection and open the Run tab.
- Run the integration tests.
Integration tests using Postman: link to document.
- OWASP ZAP
  - Start OWASP ZAP on your system.
  - Configure the ZAP proxy:
    - Navigate to the "Tools" menu and select "Options".
    - Under the "Local Proxy" section, note the address and port on which ZAP listens for proxy requests; set it to localhost 8081.
  - Configure Postman: open Settings (Ctrl + comma), go to Proxy, and enable a custom proxy configuration pointing at localhost 8081.
  - Explore the APIs: send requests from Postman. Every request to the APIs now passes through ZAP and is recorded in its Sites tree.
  - Since the protected routes require the Authorization header, give ZAP the bearer token as well (for example with the Replacer add-on, which adds a header to every request ZAP sends); otherwise the spider and active scan only ever see 401 responses from those endpoints.
  - Spider the APIs:
    - In ZAP, go to the "Spider" tab.
    - Enter the base URL of the APIs and click "Start Scan".
  - Active scan:
    - After spidering is complete, go to the "Active Scan" tab.
    - Click "Start Scan" to begin active scanning. Run it only against the local instance with the test database: an active scan sends attack payloads and will create, modify and delete records.
  - Review scan results:
    - Once the scan is complete, navigate to the "Alerts" tab.
  - Generate reports:
    - ZAP can generate reports summarizing the findings of your security testing.
    - Go to the "Report" tab.
- Install artillery.io:
  ```
  npm install -g artillery
  ```
- Sample test, saved as performance/demo_api_load.yml (the path the commands below use). It sends 5 new virtual users per second for 20 seconds, each performing one GET against the courses endpoint:
  ```yaml
  config:
    target: "http://localhost:8080"
    phases:
      - duration: 20
        arrivalRate: 5
        name: Startup phase
  scenarios:
    - flow:
        - get:
            url: "/api/v1/courses"
  ```
- Example: run the performance test
  ```
  npx artillery run performance/demo_api_load.yml
  ```
- Generate a report
  ```
  npx artillery run performance/demo_api_load.yml --output performance/report.json
  ```
- HTML format
  ```
  npx artillery report performance/report.json --output performance/report.html
  ```
- Performance test by Artillery
- Performance test by Postman.